Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. The specific conditions that could lead to a security issue for vulnerability are: 1. The specific target resource of the attack must be using the forwarded authorization integration; 2. The requested domain must have two additional segments compared to a session domain i.e. a.b.example.com is requested, but the session domain is example.com; 3. There access control rules must specify two separate rules which both contain inexact domain matches such as *.b.example.com and *.example.com i.e. wildcards, username matches, group matches; 4. The rules must be in order of most specific domain to least specific domain; 5. The second rule must be more permissive than the first rule; 6. The attacker must specifically request a URL for the more specific domain, with the second part containing one or more capitalized letters i.e. https://a.B.example.com and no other segment with capitalized letters; 7. The integration used must not be the Envoy ExtAuthz integration; and 8. The proxy must not canonicalize the requested host name in the relevant header before sending it to the relevant authorization endpoint. The kind of configuration used to produce this issue and result in a bypass rule being matched has long been highly discouraged. Essentially hosts which should be bypassed entirely should not be secured by having the proxy check them with the authorization handlers. Upgrade to 4.39.20 to receive a patch.
CVE-2026-48794
This low-severity CVE scores 1.3 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.3%, top 80% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 1.3
- EG Score
- 1.3(medium)
- EPSS
- 20.1%
- KEV
- Not listed
Published
June 19, 2026
Last Modified
June 23, 2026
References (2)
- security-advisories@githubhttps://github.com/authelia/authelia/commit/b6d1d60baa02f216fdb19f5dfeaf2e805829508a
- security-advisories@githubhttps://github.com/authelia/authelia/security/advisories/GHSA-j748-h363-wqj8
Vendor Advisories for CVE-2026-48794(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 8× in last 7d / 23× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 12:17 UTCEG score recompute
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-02 09:23 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 06:27 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 03:29 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 00:34 UTCEG score recompute
- 2026-06-19 21:38 UTCEG score recompute
- 2026-06-19 21:37 UTCNVD updatefirst tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-863 · CWE-178
Frequently asked(5)
What is CVE-2026-48794?
When was CVE-2026-48794 disclosed?
Is CVE-2026-48794 actively exploited?
What is the CVSS score of CVE-2026-48794?
How do I remediate CVE-2026-48794?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-48794
Is Your Infrastructure Affected by CVE-2026-48794?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.